The reason rexd works like this is not a bug. By design, rexd has no
access control built into it at all, so using rexd makes your system's
security as good as it would be if you had all your user and system
accounts except root without a password. Worse, it also lets everyone
mount filesystems from random places to your system.

What's even worse, on some systems rexd's manual page plain and simple
lies about a `secure' option, which doesn't exist. I hear that on
some newer systems the `-s' option works, but I wouldn't count on it,
with the history of rexd being like this.

You can check if your system is running rexd by giving the command
rpcinfo. Example:

output of `rpcinfo -p localhost':

   program vers proto   port
   [ stuff deleted ]
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100001    2   udp   3319  rstatd
    100001    3   udp   3319  rstatd
    100017    1   tcp   1024  rexd
   [ stuff deleted ]

If there's a line ending with 'rexd', then the system is very
vulnerable. Rexd can be turned off by editing the file
/etc/inetd.conf (on most recent systems) or /etc/servers (on some
older systems) and restarting inetd with `kill -1 inetdpid', where
inetdpid is the process ID of inetd, found out with `ps'.

Don't confuse rpc.rexd with rexecd, like a version of COPS does.
rexecd is a relatively harmless TCP stream server, though on some very
old releases of a common workstation vendor there's also a security
hole (but not very serious unless you use `wheel' as a privileged
group). Rexecd asks for a password, while rpc.rexd just believes
everything you tell it without asking for any kind of proof.

//Jyrki
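
The check described in the post, as an added example that is not part of the original message: two shell functions that flag rexd in `rpcinfo -p` output (by RPC program number 100017, as in the quoted output, or by name) and list uncommented rexd lines in an inetd.conf-style file without matching rexecd. The function names, the sample inputs and the inetd.conf line format are assumptions made for the example.

```sh
#!/bin/sh
# Added example; function names and sample inputs are constructed for illustration.

# Constructed sample modelled on the rpcinfo output quoted in the post.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100001    2   udp   3319  rstatd
    100001    3   udp   3319  rstatd
    100017    1   tcp   1024  rexd
EOF
}

# Constructed inetd.conf fragment (line format is an assumption; check your own file).
sample_inetd_conf() {
cat <<'EOF'
# remote execution services
exec    stream  tcp      nowait  root  /usr/etc/in.rexecd  in.rexecd
#rexd/1 stream  rpc/tcp  wait    root  /usr/etc/rpc.rexd   rpc.rexd
rexd/1  stream  rpc/tcp  wait    root  /usr/etc/rpc.rexd   rpc.rexd
EOF
}

# stdin: rpcinfo -p output. Prints proto/port for every rexd registration.
# Matches the program number as well as the name, because the name column
# comes from the local RPC name table and can be absent.
find_rexd() {
    awk '$1 == "100017" || $5 == "rexd" { print $3 "/" $4 }'
}

# stdin: inetd.conf-style text. Prints "lineno: line" for each uncommented
# rexd entry; rexecd (the exec service) is deliberately not matched.
active_rexd_entries() {
    awk '/^[ \t]*#/ { next }
         $1 == "rexd" || index($1, "rexd/") == 1 || /rpc\.rexd/ { print NR ": " $0 }'
}

# Demo on the constructed samples. On a live host:
#   rpcinfo -p localhost | find_rexd
#   active_rexd_entries < /etc/inetd.conf
echo "rexd registered on: $(sample_rpcinfo | find_rexd)"
echo "active inetd entries:"
sample_inetd_conf | active_rexd_entries
```

Empty output from both functions means no rexd registration and no active rexd entry were found in the input given.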